Index connector and action


Index connector and actionedit

The index connector will index a document into Elasticsearch. See also the create index API.

Connector configurationedit

Index connectors have the following configuration properties.

The name of the connector. The name is used to identify a connector in the management UI connector listing, or in the connector list when configuring an action.
The Elasticsearch index to be written to.
Setting for the refresh policy for the write request.
Execution time field
This field will be automatically set to the time the alert condition was detected.

Preconfigured connector typeedit

   name: preconfigured-index-connector-type
   actionTypeId: .index
     index: .kibana
     refresh: true
     executionTimeField: somedate

Config defines information for the connector type.

A string that corresponds to Index.
A boolean that corresponds to Refresh. Defaults to false.
A string that corresponds to Execution time field.

Define connector in Stack Managementedit

Define Index connector properties.

Index connector

Test Index action parameters.

Index params test

Action configurationedit

Index actions have the following properties.

The document to index in JSON format.


Example of the index document for Index Threshold rule:

    "rule_id": "{{}}",
    "rule_name": "{{}}",
    "alert_id": "{{}}",
    "context_message": "{{context.message}}"

Example of creating a test index using the API.

PUT test
    "settings" : {
        "number_of_shards" : 1
    "mappings" : {
        "properties" : {
            "rule_id" : { "type" : "text" },
            "rule_name" : { "type" : "text" },
            "alert_id" : { "type" : "text" },
            "context_message": { "type" : "text" }

Alert history Elasticsearch index connectoredit

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. Kibana offers a preconfigured index connector to facilitate indexing active alert data into Elasticsearch.

This functionality is in technical preview and may be changed or removed completely in a future release.

To use this connector, set the xpack.actions.preconfiguredAlertHistoryEsIndex configuration to true.

  xpack.actions.preconfiguredAlertHistoryEsIndex: true

When creating a new rule, add an Index action and select the Alert history Elasticsearch index (preconfigured) connector.

Select pre-configured alert history connectors

Documents are indexed using a preconfigured schema that captures the action variables available for the rule. By default, these documents are indexed into the kibana-alert-history-default index, but you can specify a different index. Index names must start with kibana-alert-history- to take advantage of the preconfigured alert history index template.

To write documents to the preconfigured index, you must have all or write privileges to the kibana-alert-history-* indices. Refer to Kibana role management for more information.

The kibana-alert-history-* indices are not configured to use ILM so they must be maintained manually. If the index size grows large, consider using the delete by query API to clean up older documents in the index.